I am not sure what is happening

users like this are registering on my site

hlpx7h@mistacronks.com
pjy56@mistacronks.com

are these spammers

they do not post any comments for now but i wonder why i have around 10 such users from mistacronks.com

I've posted a bit of info about the current round of attacks at http://technohippie.com/geeklog/public_html/article.php?story=20060825101819593 that might help you sort this out. Be sure to read the comments.

pax, TechnoHippie

Hi

It was me who posted the comment on your site


how did the upload the c99.php

how is that possible and where is the file exactly

Hi garfy I've added to the post and there's an interesting flash demo of how the hack is done posted as well. Check your spamx plugin folder in the GL root directory. That's where I found it on my server.

HTH,
TechnoHippie
http://technohippie.com/geeklog/public_html/

Yeh, mistacronks, mail.ru, cashette.com, gawab.com.. the domains these russian spammers use vary quite a bit. Check for all of these domains in your user lists.

Using spamx, Ban, and Bad Behaviour, I've successfully blocked spams from publicly appearing. Unfortunately they haven't stopped the creation of new user accounts that lie dormant in my list. I presume this is the result of my publicly available new user registration being auto-filled by spam bots.

So I took matters into my own hands.

This could probably be done with a custom registration form properly, but in a rush and a bit confused, I simply hacked the users.php code and adjusted my templates as follows:

In registrationform.thmtl I added an extra field below the user name and e-mail address.

<td align="right"><BR><BR><IMG SRC="mysitedotcom/images/fiveplusfive.jpg" border=0><BR><b>in CAPITAL LETTERS:</b><BR><BR></td>
<td><input type="text" size="16" maxlength="16" name="botcheck"></td>

Note the name of the new field, botcheck. The image is a simple math question, shown as one of those screwy text verification images. The answer is TEN.

Next, in users.php.

function createuser ($username, $email)

is replaced with:

function createuser ($username, $email, $botcheck)

then after

$email = trim ($email);

add

$botcheck = trim ($botcheck);

(This above step actually could be skipped, but I'm using text, so why not.)

Directly under that you will see:

if (COM_isEmail ($email) && !empty ($username)) {

Replace it with:

if (COM_isEmail ($email) && !empty ($username) && $botcheck == 'TEN' {

Change TEN to whatever text you want your user to type in to verify they are human.

Under:

$msg = $LANG04[18]; // invalid email address
}

Add:

if ($botcheck != 'TEN' {
$msg = 'The trivia question must be answered to verify you are human.'; // botcheck failed

Again, this TEN must match the word you've chosen for a human to verify themselves.

That's it! I did this, and boom - not a single spam user created since. Humans have no problems. Obviously you will have to use an image that asks the user to enter the verification text you've chosen. See mine at rewindvideo(dot)calm.

Important notes:

1) Backup your original users.php before uploading the hacked one.
2) This isn't flawless: an incorrect username or e-mail returns a blank page instead of a proper error code. I haven't had the chance to fix that.
3) This ain't no snazzy encrypted security system, it's just a lil' something to confuse a simple submission bot. Use at your own risk.
4) I'm no PHP expert, I just threw this together. Hopefully it's a starting ground for a better coder.

Improvements are welcome! I'm thinking about making this into a proper plug-in sometime that can support of randomly selected questions stored in a GL table. We'll see.


Jon

This is what I've been looking for since I read all the trouble folks are having with the GL Captcha plugin. I didn't bother ... waiting for something less buggy. I don't trust buggy I don't use a custom registration and my new user chooses the password.

Another thing I thought about doing was moderating the signups ... the problem is that the c99.php shell script works around authentication. I don't have trouble with typical spam that we've all grown to know and love. It's the excrement from the Captain Crunch Team over at ccteam.ru

This relates back to the last posted exploit that inspired the newest version of Geeklog. The fix was too late because the tunnels were already dug on the ports. I missed some red flags early on and the sleeper woke up. Thier site is fairly new and they uploaded the shell script in early July before the patch was offered ... I didn't find it until a few days ago after all my trouble started. It's all good for now. *big smile*

isn't there an option that the admin should confirm the activation of each account

that would be the best I think

theses users are like plague

I get 5 of them each day, do you think that that is a spam bot or the human is doing it??

There are a bunch of responses to this problem. This was mine. There are several others if you search the forums.

Yes, you can moderate user submissions, but a) I don't want to be going in daily determining fake users from real ones every day and b) I want my legit users to be able to begin posting immediately.

My method allows that. And yes, your five or so a day are likely bots.

A shell script could get around just about anything. The only defense against this I suppose is to run a tight ship, keep your software up to date, and check back here frequently to see what other users have been dealing with. I wonder if these shell scripts have anything in common that could be detectable, say with a daily scan of newly uploaded php files. Food for thought.

I've been getting a lot of mistacronks, xxxxx%40hotmail.com, gawab, mail.ru and cashette.com registrations recently, as well. I did two hacks to system/lib-user.php to first log all user creations, then block some of them based on the logging. First, the patch to lib-user.php function USER_createAccount (this is on 1.3.11sr7-1); logs new user creation to COM_accessLog and records in COM_errorLog those creation attempts that do not contain HTTP_REFERER:



Next, the results of the creation log of a bad user, basically just logging all $_SERVER and $_POST variables. This one does contain HTTP_REFERER; therefore, it bypassed the check:



I'm dealing with two distinct domains that have nothing more to do with each other than being hosted on the same physical machine. On the first one, the HTTP_REFERER check works like a charm; I get these entries in errorLog:


On the second domain, user creation attempts:
1) contain HTTP_REFERER, which means it's either being spoofed or the script is actually visiting the page first to load the correct referer;
2) Don't fill entries correctly in PhpBBBridge; I had to hack the delete function in the Bridge to allow me to delete users from GL that don't have valid phpBB accounts.

I noticed a strange entry in the above $_SERVER variable log: HTTP_ORACLE_ECID. I'm not runnig oracle, and I'm not on 10.x.x.x subnet, so I'm guessing this originates from the client/script....?

I hope this info will be useful to someone besides me....

I think what I'm going to work on this weekend is a hack to allow blacklisting domains/regex on registration.

Just a note: Instead of hacking users.php, all these checks could be implemented using the custom registration API.

bye, Dirk

OK...I have the start for domain blacklist code. I'm still working in lib-user.php; I want the code working before I start trying to figure out customer user functionality....

Anyway, I need some advice. Here's my code:



Also available at: http://www.spywarefix.org/pastebin/pastebin.php?show=4

My problem is that I'm a bit weak on my SQL....I'm having trouble figuring out how to query against wildcards or substrings in the domain. If I can get this straightened out, I'll add username blacklisting too.

Derek: I'll try to implement this into custom user registration once I get it all working....

I installed (Geeklog CAPTCHA Implementation v0.4) and tried to make it work. But all I can surmise is that I don't have ImageMagic installed because I get a broken image on the registration form. I followed the instructions to the tee.

I really need help with this. I'm getting the same stuff from mistacronks.com.

Please somebody help me if you can.

viasoul,

The CAPTCHA implementation has the option to use the GD libs or ImageMagick, have you tried both? Also, you can turn on the debug (all of this is in the README) when using ImageMagick and it will log the ImageMagick command to your error.log file. If you have shell access to your server, you can run by hand and see if there are any problems.

If you are still having issues, I'll be happy to take a closer look at your system, you can contact me offline at mevans0263@gmail.com if you wish.

Thanks!
Mark

Consider this a bump, but I have an added comment and 2 questions.

When we had GL 1.3.8 implemented on our site, I hacked the new user confirmation email to EXCLUDE the username and password field (Gaming clan, we audition new recruits). Since then I have upgraded to GL 1.3.11sr5 (and yes, after reviewing this issue, I will upgrade to 1.3.11sr7-1, just to be up to date ), and it seems that my hack has been overwritten. I still have my custom added text which resides in the english.php file, but the login and pw fields are back. I did some digging and again applied the exclusion hack to /system/lib-user.php by just commenting out the lines that contain $username and $passwd in function USER_createAndSendPassword. This way, the new user gets an email with further instructions, but no login info. Hope this hack helps someone. YMMV

Now, for my questions:

1- Does this c99.php file bypass all of the new user registration stuff, or does the script seem to rely on information provided in a confirmation email? Time will tell as we'll see if I get any more new user registrations from the above mentioned spammer domains, unless anyone knows otherwise.

2- Is this particular attack being executed on more than one version of GL? Like I said before, I have one site running GL 1.3.11sr5 that was compromised, and two other sites running GL 1.4.0sr5-1 that (so far) are ok. ...but I think new user registration is turned off on both of those!

---

Synergy - Stability - Style --- Visit us at glfusion.org

A much easier solution is to use the built-in "welcome email hack". I would have pointed you to the wiki page explaining it, but since it's down at the moment ... Anyway, you can have a customized welcome email in a file that Geeklog will then send out instead of the standard text. No need to change any core files.



You'll need to upload that c99.php file first. There were two vulnerabilities in Geeklog which let you upload arbitrary files. Both have been fixed of course in the most recent releases.

bye, Dirk

mevans,

Thanks man. I'll contact you asap.

But for the record this is what I set the captcha.php file to:


I'm running MediaGallery by using GD libs so this is the reason I thought these settings would work. Am I missing something?

Again, this issue was that signup form had a broken image rendering the form useless since no one could enter the image's information.

Bare with me here, I'm a total idiot when it comes to this kind of stuff. I'm just an interface designer that was lucky enough to stumble into GL. Now I need my hand held everytime something goes wrong. Sorry.

FYI - I installed Dirk's Bad Behavior plugin and that stopped the Mistacronks gang from adding new users to my system

---

basics4mac.com

but where is it

where to download it

and can there e set a confirmation code to type when registering so the auto spam bots could not register???